Whether they know it or not, everyone in an organization from the janitor to the CEO engages in “risk management” of one sort or another on a daily basis. For example:
- The janitor will put up a “caution, wet floor” sign after cleaning the bathrooms or at the entrance to the building on a rainy day.
- The company will purchase liability insurance to cover a mistake or an otherwise extremely unhappy customer.
- The IT Director will be on the lookout for vulnerabilities and take steps to protect the company’s data and systems.
There’s no doubt that actions like these are critical, but as I’ll explain in the sections below, this is a very risk-based, siloed approach to managing risk.
For a quick glance at the differences, see the table below, or continue reading for a more in-depth analysis of the differences between traditional and enterprise risk management.
1. Insurable vs. Non-insurable (Mostly)
In a traditional risk management framework, an organization only looks at things that are insurable.
In the wet floor example from earlier, not only does the janitor put out a sign to warn people about a slippery surface, the company also carries liability and workers’ compensation insurance in the event someone does slip and get hurt. Purchasing insurance for any company vehicles or equipment is another example.
ERM, on the other hand, goes beyond insurable hazards to include areas of risk that cannot be transferred through insurance. If a data breach occurs for example, the company could have insurance to help offset the cost of responding and addressing the problem.
However, this breach could also damage the organization’s reputation, which of course is not insurable. Proactive measures to protect information from hackers, malware, and misuse will need to be taken to reduce the likelihood of this occurring.
Other examples of non-insurable risks include:
- Strategic goals – if a company is unable to achieve its strategic goals, it will not be able to file a claim with an insurance company to recoup costs. ERM helps executives understand risks and opportunities to provide more assurance that goals will be met.
- Social media – impacts can go beyond reputation to include customer service, product sales, and even the long-term viability of the company if they can’t keep up with the marketing and expectations of consumers.
- Vendor disruptions – some risks can be transferred through insurance, but many cannot. Vendor disruptions can not only impact reputation, they can lead to production delays, lost revenue, and more.
- Mergers & Acquisitions – although connected to strategic goals, risks and opportunities around M&A deals are not insurable. This story about Prudential’s acquisition of an online insurance startup illustrates all of the considerations that go into such a large deal.
- Lack of innovation – shifting consumer and technological trends are certainly not insurable. Organizations slow to adapt will struggle or may even go out of business altogether…just ask Kodak.
Sometimes risks like these are not a big deal, but put together, they can take a company down.
2. One-Dimensional Assessment (Severity) vs. Multi-Dimensional Assessment
Besides only looking at an issue from a loss prevention perspective, traditional risk management also only considers the impact or severity of a given issue at a certain point in time. I emphasize issue because in many cases, traditional risk management is looking at something that has already occurred and will occur again (issue) rather than the possibility of something (risk).
Consider our wet floor example – a company safety officer or facilities director will typically only consider what will happen if someone slips and falls, taking action to mitigate this risk through liability insurance and safety improvements. They are evaluating, at least informally, something they know is going to happen.
In some cases, traditional risk management activities will also consider the probability of a certain risk or issue affecting the organization.
While ERM also considers impact and probability, it peels the onion layers back to understand more about potential events (i.e. risks) and how they relate to the strategic plan, organizational mission, or a specific operation.
Besides impact, ERM will definitely look at probability on a consistent basis as opposed to evaluating it sporadically, which alone adds tremendous value for the organization. Other parameters or questions ERM will consider include:
- How fast will we feel the effects of the risk? (Velocity)
- How widespread will the risk be? (Pervasiveness)
- How long will the effects of the risk last? (Persistence)
- How prepared are we to respond? (Preparedness)
- How effective are existing risk mitigation or “control” activities? (Effectiveness)
The tendency for many organizations is to jump right into assessing risks from multiple dimensions. However, it can take time for an organization to do this effectively. Keeping things simple in the beginning is valuable for better understanding risks and opportunities without being overwhelming.
Looking at risks or issues beyond the single lens of loss prevention provides decision-makers with more information to prioritize resources to ensure the organization is focusing on the right risks, at the right time, and in the right amount. A risk may have a catastrophic impact, but if its chances of occurring are very low, it would be unwise to use scarce resources on mitigating it.
Being more targeted frees up more resources to focus on achieving strategic objectives.
3. Manage Risks One by One vs. Analyzing Material Risks & How They Relate
In a traditional silo environment, the management of risks occurs as needed on an individual basis. Departments will only look at risks within their areas and not communicate with other parts of the company. Approaching risk management this way can, at worst, expose a company to much bigger risks and, at best, cause the company to miss out on opportunities to meet or exceed strategic goals.
On the flip side, ERM combines these activities and uses a variety of tools to examine interdependencies, understand triggers between risks and cumulative effects of risks, and more. These tools help senior management better allocate resources and prioritize risks.
The first tool is risk appetite and tolerance. Risks are compared to the applicable tolerance to determine the appropriate response. It is during this analysis where organizations may find some risks are being over-managed since they are well below their tolerance level. Going through this process allows executives to re-direct resources to more urgent needs.
For risks that are above the tolerance, a root cause analysis can be done to understand where resources should be focused. Root cause analysis is especially useful for understanding complex or urgent risks. The simplest way to describe root cause analysis is to ask “why?” until you reach the true cause. If it’s determined that two or more risks share the same root cause, addressing this root cause can provide double the benefits.
A couple words of caution:
- One, it can take time to realize the wide-reaching benefits of using tools like risk appetite and root cause analysis, but don’t be afraid to start. After all, if you don’t start, you will never realize the benefits!
- Two, fully understanding the cumulative effects of risks requires, for example, sophisticated computer models, which can be very complicated, especially if there isn’t any actuarial or scientific expertise in your organization. (Don’t be afraid to outsource this function if needed.)
Although understanding connections between risks and cumulative effects is more advanced, getting to this point will provide tremendous benefits to the organization.
4. Occurs Within One Business Unit (“Siloed”) vs. Spanning the Entire Organization (“Holistic”)
Traditional risk management occurs within one department, or put another way, occurs in its own “silo” or “stove pipe.” Most organizations are going to be well experienced with this basic level of risk management.
As explained in the following video though, conducting risk management this way can inadvertently create risks in other areas, or create risks that fall between siloes that will be missed altogether. The IT Director is addressing a technology risk but creates a new legal risk in the process, or addressing a legal risk creates new talent risks.
Another shortcoming of the stove-pipe approach is that it often leads to wasted resources. A particular risk may have a big impact on a department but minimal impact on the organization as a whole. Take this revenue risk from a client as an example: during a risk assessment discussion, the department head listed it as a severe impact, but when the risk was considered in the context of the whole organization, its rating dropped several points to minor.
What also occurs when risks fall between silos is no one department wants to take ownership…
Risk around vendors, especially ones who deal with more than one department within the enterprise, is a great example. A new product line is another example – which department will own all of the risks associated with a project like this (i.e. production, communications, competitors, regulations, etc.)?
Enterprise risk management ties these disparate siloes together to give executives and business units a holistic view of risk and opportunities. It is a top-level process that overrides any autonomy a particular department may have by bringing together a multi-functional group of people to discuss risk at the organizational level.
Trisha Sqrow, Assistant Vice President of Risk Management at Dallas-Fort Worth International Airport, explains that taking this holistic approach is “…a true team effort.”
In larger organizations or ones with a robust ERM program, there is typically a director, vice president, or chief risk officer role who will tie all of the different siloes together so executives can get the entire picture of risks that could help or harm the organization’s ability to meet its goals.
5. Reactive & Sporadic (Rear-view) vs. Proactive & Continuous (Forward-view)
Examples provided in the beginning of this article are great examples of an organization reacting to a particular issue.
A rear-view approach also fails to consider risks to objectives. While there may be a list of risks, thought leader and consultant Tim Leech explains how lists in a traditional risk management environment have nothing to do with “…the company’s top value creation objectives.” A survey I held last year explains how having a list of risks like this is frustrating for ERM professionals since they simply show executives what they already know. Below is an example of how it was phrased to me.
Traditional risk management activities are often borne out of a particular event that management responds to. Executives, managers and support staff will go into a scramble mode when something comes up.
A reactive approach can also result in business failure altogether. Take the example of Borders Bookstore, which in its day was known as a “…killer of local bookstores.” However, starting in the mid-’90s, Borders began struggling after making a poor investment in CD and DVD sales just when the industry was starting to go digital.
As the other big-box book retailer, Barnes & Noble, began beefing up its online presence, Borders opted to refurbish its stores and even outsource online sales to Amazon! Many shoppers would explain how they would go to Borders to find books just to turn around and actually purchase them online.
Couple this with the success of Amazon’s Kindle and Barnes & Noble’s Nook e-readers and it was only a matter of time.
One question that inevitably comes up in situations like this is “How could we have known this?”
Taking a more proactive approach like ERM helps the organization get out in front of risk or seize opportunities to achieve strategic objectives. Being proactive can take two forms: preparing for current-day risks and identifying emerging risks that could affect the organization down the road. General Motors is one company that uses a virtual crystal ball to understand, prioritize, and factor risks and opportunities into its strategic and business plans for the next 1, 5, 10 or even 20-30 years.
6. Disjointed vs. Embedded in Culture & Mindset
Although every organization manages risks to one extent or another, these activities tend to be “disjointed” or ad hoc, with no rhyme or reason and no connection to strategic objectives or to other business areas. Marketing may embark on a certain project in pursuit of a strategic objective and take a few moments to identify risks to the project, but there is no conversation with other impacted areas to gain a different perspective.
In cases like this though, the risk activities are more of a “CYA” documentation exercise than something that adds value by ensuring business units are making informed decisions.
Besides not providing any value to the enterprise as a whole, a disjointed approach also causes risks to be missed, new risks to be created, or a duplication of effort.
On the other hand, a mature ERM process that is a valuable decision-making tool is systematic and ingrained in processes and ways of thinking. This is not to imply that every action or decision requires a formal process for identifying and assessing risks – in many cases, this will be an informal process where a manager or even an employee will stop for a minute and think about how their actions may create reputation, talent, strategic, or some other risk to the enterprise.
Embedding a risk mindset in the culture of the organization means that risk becomes just another part of the business conversation and decision-making process. Executives and managers don’t see risk management as a compliance or “CYA” exercise, but instead a valuable tool in ensuring the company’s success.
Changing an organization’s culture to be more risk-aware, though, is something that doesn’t happen overnight. Key to cultural change is executive leadership – without the right tone at the top, the company will struggle to move beyond a disjointed approach to risk management.
7. Standardized vs. More Nuanced & Requires Soft Skills
Risk management in its traditional or basic form has been common practice for companies and non-profit organizations for many years. There is an assortment of designations an individual can earn from organizations like the National Alliance for Insurance Education and Research, RIMS, the Professional Risk Managers’ International Association (PRMIA), and others.
There are also numerous international standards around traditional risk management activities that organizations can refer to. ISO 27000 (IT) and ISO 18000 (Health and Safety) from the International Standards Organization are a couple of examples.
And for publicly-traded and insurance companies, regulators at both state and national levels are beginning to require annual reports on top risks.
Many organizations starting their ERM journey also have standards to refer to, with the two most common being COSO and ISO 31000. Both of these standards released updated versions in 2017 and 2018 respectively. Despite incorporating more on risk taking into both standards, many practitioners and thought leaders feel they are still too focused on managing risks instead of achieving organizational objectives.
Also, many organizations become frustrated when exclusively using one of these standards because they often experience stalled processes and minimal value to the organization.
ERM that focuses on enabling success requires a bit more finessing in order to be a valuable tool for decision-making.
Practitioners not only need to be familiar with various technical processes around ERM (i.e. identification, assessment, etc.), they also need to have a combination of soft skills in order to transform risk management from a compliance-oriented exercise into one that plays a significant role in ensuring the company’s success.
8. Risk Averse vs. Risk Taking
The original version of this article explained how traditional risk management focuses solely on losses while ERM considers both the upside and downside of risks. This is true, but as long-standing ERM thought leaders explain, the difference goes much deeper than this.
Up to this point, you may have noticed how the word “risk” has been used in the negative sense – in other words, seeing risks as threats and something to avoid or mitigate.
In his book Risk Management in Plain English: A Guide for Executives, Norman Marks discusses how traditional risk management is about managing a list of “so-called risks.” BUT…
“Risk management is really about increasing the likelihood of achieving your objectives.”
It would not be an earth-shattering statement to say that any business has to take risks in order to be successful. At the current pace of change in our world, which will only accelerate as time goes on, companies who simply avoid risks and fail to take calculated, informed risks to improve business performance will not remain relevant in the long-term.
Good executives understand this…they always weigh the pros and cons of “taking risks.” And this doesn’t only happen at the executive level either.
However, are they making decisions like this in a systematic way?
This is where ERM comes in – it helps executives make informed and intelligent decisions and provides a framework for others to follow to ensure the organization is taking the right level of the right risks.
Another thought leader, Hans Læssøe, describes in his book, Prepare to Dare, different levels of risk management with basic (traditional) at the bottom and progressive at the top. Basic risk management in the form of insurance and health and safety is pretty universal in one form or another. From there, most large organizations are going to evaluate risk around projects and strategy, but it still occurs in a silo in many cases.
More advanced companies are going to take things further to discuss risk taking explicitly and embed this way of thinking throughout the organization in a systematic way. This essentially “changes management of risks from being a governed and required effort to be a cultural element which is ‘just being done’.”
As Hans and others explain, the world is changing, and the risk management profession is no different. Many “traditional” risk management tasks and compliance activities will likely become automated in the years ahead in what’s known as the 4th industrial revolution.
Keeping pace with change and learning how practitioners can adapt their role to be more of an active partner in the organization’s success will be the key to maintaining and growing ERM in the decades ahead.
This article was originally written for ERM Insights by Carol.